- A Southern Africa reveals that the latest edition of the annual Veracode 2023 State of Software Security reports that applications grow in size by about 40% year on year irrespective of their original size. The research aims to assist businesses to meet the multiple challenges of reducing security debt and avoiding the introduction of security flaws that accumulate over the life of applications.Veracode uses hard data to identify the factors that contribute to the introduction of flaws and offer solutions that lead to faster remediation while lowering security debt and providing concrete steps you can take now to improve your application security programme for 2023 and beyond.
CA Southern Africa is the sole sub-Saharan Africa representative of CA Technologies, a Broadcom company. Veracode is a globally leading AppSec partner that creates secure software, reducing the risk of security breaches and thereby enhancing both security and development teams’ productivity.
Craig de Lucchi, CA Southern Africa Account Director, says: “Historically, the Veracode annual research examined the top flaw categories by language, but this year’s report took things a step further. Rather than merely identifying the top flaws by language, it was important to discover whether there were variations over the lifetime of an application in production. Perhaps more importantly, it examined what steps need to be taken to reduce the introduction of flaws at the outset. The data assisted in getting a better handle on flaw introduction, security debt accumulation and application life cycle management,†says De Lucchi.
The first thing that jumped out during analysis was that there were different inherent security postures for various languages. It was discovered that there is also a different rate at which flaws are remediated, leaving a higher (or lower) de facto chance that flaws will simply accumulate over time. “A developer might be interested to find out the most common flaws introduced and, once those are identified, take conscious steps to learn how to avoid them. Security people will be interested to see the rate of flaw accumulation and what that means to the overall risk posture,†he adds.
Accumulation of flaws is referred to as security debt and is a subset of technology debt which, in turn, is defined as the number of net flaws remaining when considering flaw introduction and remediation rates. Different languages are said to ‘pay down’ at different rates than they build up and that makes for a positive or negative difference in accumulation over time. “Different languages have inherently different security postures, environments and controls. Veracode is crystal clear on the fact that when they are talking about developers’ preferred programming language, they are not focusing on specific languages or programmers. It is acknowledged that flaws happen, and they happen in any and every programming language. These flaws, however, are not evenly distributed. The way different languages are architected and implemented can make some security mistakes easier (or harder) to make and that’s what we want to highlight to make us all better.
“Developers can compare how their languages perform and get a view of areas for future focus. Each language seems to have its own predisposition to high and critical-severity flaws that then end up appearing in large numbers,†notes De Lucchi.
The choice of programming language is noted to have an effect on the types of flaws that are most commonly introduced, and that in turn affects the ecosystem of libraries and third-party software. “Slowing down and taking a look at this reality is useful for organisations wishing to prioritise their training to know what the most common flaws are, and how they might be introduced. This basic awareness can influence code as it is being written, which is the best time to avoid introducing a flaw that could hang around throughout the life cycle of an application.
“In short, developer awareness of what the most common flaws are, and how they are introduced, can increase diligence and reduce the probability of introducing them at all – leading back to the main point that an ounce of prevention is worth a pound of cure,†De Lucchi concludes.